Symantec Calls a Quorum with Reputation-Based Tech

Integrated into Norton Internet Security 2010 and Norton AntiVirus 2010, Quorum pulls together knowledge gained from anonymous software patterns within its volunteer user community and data from Symantec’s research labs to automatically detect malware executables and files affected by malware.

Symantec says it wants to take advantage of the wisdom of crowds with a new reputation-based malware technology that it made available to the channel this week.

The company took the wraps off of the technology, dubbed Quorum, as it released its latest 2010 Norton line-up. Integrated into Norton Internet Security 2010 and Norton AntiVirus 2010, Quorum pulls together knowledge gained from anonymous software patterns within its volunteer user community and research gathered by Symantec’s research labs to automatically detect malware executables and files affected by malware.

"For the last three years we have been collecting telemetry data from customers who participate in the program called Norton Community Watch, giving us information about various security events on their machines, files of interest and so on," says Zulfikar Ramzan, architect and technical director for Symantec’s security technology and response group. "What we've done on the back end is applied a number of large scale data mining and statistical machine learning techniques in order to take that data and to use it to infer whether an arbitrary file is good or bad based on what we know about it from our community."

Ramzan says this latest breakthrough is yet another advance that gives Norton antivirus an edge over previous iterations that depended solely on signature-based detection technology.

"If you look at traditional antivirus software, it has taken on what I consider to be very much a myopic view of the world where it looks at what one application is doing on one machine at one point in time," he says. "We've opened up the intelligence of our research base to look at what an application might be doing across the spectrum of machines. That allows us to make a much more intelligent decision about whether a file is good or bad on the machine."

Symantec believes that Quorum will offer channel partners who sell Norton a good amount of differentiation by leveraging not just the most-recognized brand in security, but also really taking advantage of the overabundance in resources offered by the company. According to Ramzan, Quorum taps into information from more than 35 million user machines.

"Where I think this becomes really interesting from the reseller and channel perspective is that what Symantec is really doing for the first time in the large scale is really taking advantage of its size and the amount of intelligence it has to provide a benefit directly back to the customer, and that's really kind of the unique value proposition," he says.
In addition, Ramzan says that users will see a significant performance boost due to Quorum, something that may come as a breath of fresh air to channel partners used to fielding calls about Symantec bogging down the endpoints.

"We can now harness and focus our energy on files we suspect to be bad rather than ones that we already know to be good and that ultimately leads to a significant performance improvement," he says.

From a value-add standpoint, channel partners may also be interested in leveraging the shift that Quorum naturally starts toward a risk management model of security. As channel customers begin assessing files with certain reputation scores, they’ll need to establish and enforce policies based on those scores—a perfect opportunity for the channel to step in and assist during the process.

"We provide that ability to do more refined risk management than I think we could have in the past where we were just arbitrarily calling things good or bad. That's the beauty of the whole thing. Ultimately reputation is conceptual," Ramzan says. "Even though a certain file might have a certain reputation, the reputation that I may be willing to accept may be very different from what you would be willing to accept. So the reality is that we can score a file, but ultimately there has got to be a policy in place that will decide whether that score is one you're willing to accept."